Fixing Office 365 DirSync account matching issues
Recently I had to fix some issues with DirSync. Some cloud users had been created before DirSync was enabled, and for those users DirSync failed to match the already present cloud user with the corresponding AD (Active Directory) user, so duplicates were created. There were also accounts that failed to match and therefore did not get all of their attributes synced.
If there is already a cloud account and you need a synced account, you can create an AD account in a DirSynced OU. But be sure to create the user with a full UPN matching the one in Office 365 and with the SMTP addresses that are present on the cloud account (soft matching works on UPN and primary SMTP address). With the next sync it should match both accounts. If not, matching fails and you either end up with duplicate accounts (one cloud user and a DirSynced user with the same first name/last name/display name) or get an InvalidSoftMatch.
When UPN/SMTP matching has failed you can still merge the accounts by setting the ImmutableID on the Office 365 account (MsolUser); this is the AD user's ObjectGuid, base64 encoded. The attribute can only be set on cloud-only accounts: on an account DirSync already owns it is read-only. Once it is set, DirSync matches the two objects on the next sync (a "hard match").
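Because the ImmutableID is nothing more than the base64 form of the 16 objectGUID bytes, it can be decoded again, which makes it possible to check which AD object a cloud user is bound to before touching anything. The following is an added example and not code from the original post; the function names and the sample users are my own, and the sample data is constructed so that it runs offline (in a real run you would feed it Get-ADUser and Get-MsolUser output).

```powershell
# Added example: encode/decode ImmutableId and report per cloud user whether
# it is cloud-only, matched to a current AD user, or bound to a GUID that no
# longer exists in AD. Function names and sample data are constructed.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory = $true)][guid]$ObjectGuid)
    # Exactly what DirSync does: base64 of the 16 GUID bytes, no salt, no hash
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory = $true)][string]$ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        # Anything other than 16 bytes was not derived from an objectGUID
        throw "ImmutableId '$ImmutableId' is not a base64 GUID ($($bytes.Length) bytes)"
    }
    New-Object -TypeName System.Guid -ArgumentList (,$bytes)
}

function Compare-ImmutableId {
    # $AdUsers:    objects with SamAccountName and ObjectGuid (Get-ADUser shape)
    # $CloudUsers: objects with UserPrincipalName and ImmutableId (Get-MsolUser shape)
    param([object[]]$AdUsers, [object[]]$CloudUsers)
    $byId = @{}
    foreach ($a in $AdUsers) { $byId[(ConvertTo-ImmutableId $a.ObjectGuid)] = $a.SamAccountName }
    foreach ($c in $CloudUsers) {
        $state = if (-not $c.ImmutableId)            { 'cloud-only (candidate for hard match)' }
                 elseif ($byId.ContainsKey($c.ImmutableId)) { "matched to AD user $($byId[$c.ImmutableId])" }
                 else                                  { 'bound to a GUID that is not a current AD user' }
        [pscustomobject]@{ UserPrincipalName = $c.UserPrincipalName; ImmutableId = $c.ImmutableId; State = $state }
    }
}

# Constructed sample data. Real run:
#   $ad    = Get-ADUser -Filter * -SearchBase 'OU=Synced,DC=contoso,DC=com' -Properties objectGUID
#   $cloud = Get-MsolUser -All
$jdoeGuid = [guid]'0f8fad5b-d9cb-469f-a165-70867728950e'
$ad = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   ObjectGuid = $jdoeGuid }
    [pscustomobject]@{ SamAccountName = 'asmith'; ObjectGuid = [guid]'7c9e6679-7425-40de-944b-e07fc1f90ae7' }
)
$cloud = @(
    [pscustomobject]@{ UserPrincipalName = 'jdoe@contoso.com';   ImmutableId = (ConvertTo-ImmutableId $jdoeGuid) }
    [pscustomobject]@{ UserPrincipalName = 'asmith@contoso.com'; ImmutableId = $null }
    [pscustomobject]@{ UserPrincipalName = 'old@contoso.com';    ImmutableId = (ConvertTo-ImmutableId ([guid]::NewGuid())) }
)

Compare-ImmutableId -AdUsers $ad -CloudUsers $cloud | Format-Table -AutoSize

# Round trip: decoding the cloud value gives back the AD objectGUID
ConvertFrom-ImmutableId $cloud[0].ImmutableId
```

The third sample user shows the case from the comments below (an account synced from an AD that no longer exists): it carries an ImmutableID, so DirSync will never soft match it, and the stale value has to be dealt with before a new AD user can be hard matched to it. Note that this decoding only holds for DirSync and for AAD Connect tenants that still use objectGUID as the source anchor; a tenant configured with mS-DS-ConsistencyGuid stores the same 16-byte value, but it is no longer guaranteed to equal the current objectGUID.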
So, how did I resolve this? See below:
When there are duplicates:
- Remove the AD user from DirSync scope (move it to an OU that is not synced; this only works when OU filtering is used, otherwise disable DirSync for the duration).
- Perform a DirSync. The synced duplicate is now soft-deleted in Office 365 (it sits in the recycle bin), which is what the next step relies on.
- Remove the duplicate synced user (NOT the cloud user). The -RemoveFromRecycleBin switch purges the soft-deleted object; check with Get-MsolUser -ReturnDeletedUsers -UserPrincipalName <UPN> that it is the synced one (it has a LastDirSyncTime) before purging:
- Remove-MsolUser -UserPrincipalName <UPN> -RemoveFromRecycleBin
- Add the ImmutableID from the AD user to the cloud user:
- $guid = (Get-ADUser <username>).ObjectGuid
- $immutableID = [System.Convert]::ToBase64String($guid.ToByteArray())
- Connect to Azure AD (Connect-MsolService, available when the Azure AD PowerShell module is installed).
- Set-MsolUser -UserPrincipalName <clouduserUPN> -ImmutableId $immutableID
- It is possible that the cloud user's UPN must first be changed to the <tenant>.onmicrosoft.com format for this to succeed. DirSync changes it back to match the AD UPN on the next sync.
- See also http://www.joseph-streeter.com/?p=423
- Place the AD account back in the correct (synced) OU.
- Manually kick off a sync on the DirSync server if you don't want to wait (up to 3 hours with default settings):
- C:\Program Files\Windows Azure Directory Sync\DirSyncConfigShell.psc1
- Start-OnlineCoexistenceSync
In my case this didn't always match the accounts, and a Full DirSync was required (on the DirSync server):
- Via the Synchronization Service Manager (miisclient.exe), under Management Agents:
- C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
- Be sure to be a member of the local group "FIMSyncAdmins", otherwise the console will not open.
- Names might differ depending on the DirSync version.
- On the Windows Azure Active Directory Connector: select it, choose Run and pick the Full Import Delta Sync run profile.
- On the Active Directory Connector: select it, choose Run and pick the Full Import Full Sync run profile.
- Note that a Full Sync can take a long time if you have a lot of objects. Furthermore, changes can take a while to propagate in Office 365.
- It might be necessary to edit a synced attribute on the AD user (Description, Office, etc.) so that there is a change to export, and then perform a (normal) sync.
When you have an InvalidSoftMatch (SMTP address matching fails because the SMTP address is already present on another object in the cloud, typically one that is already linked to a different AD object):
In miisclient.exe on the DirSync server you can check for errors on the Windows Azure Active Directory Connector. In this case the account wasn't properly matched:
- Add ImmutableID from AD user to Cloud user:
- $guid = (get-Aduser <username>).ObjectGuid
- $immutableID = [System.Convert]::ToBase64String($guid.tobytearray())
- Connect to AD Azure (Connect-MSOLService when AD Azure Powershell Module is installed)
- Set-MSOLuser -UserPrincipalName <clouduserUPN> -ImmutableID $immutableID
- It's possible that the clouduserUPN must be changed to the <tenant>.onmicrosoft.com format. It should be changed by DirSync to correspond with the AD UPN.
- See also http://www.joseph-streeter.com/?p=423
- Then perform a sync as described in the previous section.
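The hard-match steps above (in both the duplicates section and this InvalidSoftMatch section) are easy to get wrong on the destructive side: purging the wrong object, or setting an ImmutableID that another cloud user already carries. The script below is an added example and not the post's own code; it wraps the same cmdlets with the checks a practitioner would want. It assumes the ActiveDirectory and MSOnline modules, an existing Connect-MsolService session, and that the onmicrosoft.com rename is only needed for federated UPN domains (my assumption, based on the usual cause of that failure; adjust if your tenant differs). Function and parameter names are mine.

```powershell
# Added example (not from the original post): guarded hard match plus purge of
# the DirSynced duplicate. Assumes Connect-MsolService has been run and that
# the AD and MSOnline modules are loaded. Run with -WhatIf first.

function Get-ImmutableIdFromAdUser {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $adUser = Get-ADUser -Identity $SamAccountName -Properties objectGUID
    [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
}

function Set-HardMatch {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][string]$CloudUpn
    )
    $immutableId = Get-ImmutableIdFromAdUser -SamAccountName $SamAccountName
    $cloudUser   = Get-MsolUser -UserPrincipalName $CloudUpn -ErrorAction Stop

    # 1. Only cloud-only users can be hard matched. An existing ImmutableId
    #    means the object is (or was) bound to some AD object: find out which
    #    one before doing anything else.
    if ($cloudUser.LastDirSyncTime -or $cloudUser.ImmutableId) {
        throw "$CloudUpn already carries ImmutableId '$($cloudUser.ImmutableId)'; refusing to overwrite"
    }

    # 2. The same GUID must not be bound to another cloud user, otherwise the
    #    next sync produces exactly the kind of join error this post is about.
    $owner = Get-MsolUser -All | Where-Object { $_.ImmutableId -eq $immutableId }
    if ($owner) {
        throw "ImmutableId $immutableId already belongs to $($owner.UserPrincipalName)"
    }

    # 3. Assumption: rename to <tenant>.onmicrosoft.com only when the UPN
    #    suffix is a federated domain. DirSync rewrites the UPN afterwards.
    $workUpn    = $CloudUpn
    $upnDomain  = $CloudUpn.Split('@')[1]
    $domainInfo = Get-MsolDomain -DomainName $upnDomain -ErrorAction SilentlyContinue
    if ($domainInfo -and $domainInfo.Authentication -eq 'Federated') {
        $initialDomain = (Get-MsolDomain | Where-Object { $_.IsInitial }).Name
        $workUpn = "$($CloudUpn.Split('@')[0])@$initialDomain"
        if ($PSCmdlet.ShouldProcess($CloudUpn, "rename to $workUpn")) {
            Set-MsolUserPrincipalName -UserPrincipalName $CloudUpn -NewUserPrincipalName $workUpn
        }
    }

    if ($PSCmdlet.ShouldProcess($workUpn, "set ImmutableId $immutableId")) {
        Set-MsolUser -UserPrincipalName $workUpn -ImmutableId $immutableId
    }
    [pscustomobject]@{ AdUser = $SamAccountName; CloudUpn = $workUpn; ImmutableId = $immutableId }
}

function Remove-SyncedDuplicate {
    # Purges the DirSynced duplicate after it was moved out of a synced OU and
    # a sync soft-deleted it. Refuses an object that was never synced, so the
    # original cloud user cannot be removed by mistake.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$DuplicateUpn)
    $deleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $DuplicateUpn -ErrorAction Stop
    if (-not $deleted.LastDirSyncTime) {
        throw "$DuplicateUpn has never been synced; this looks like the cloud user, not the duplicate"
    }
    if ($PSCmdlet.ShouldProcess($DuplicateUpn, 'purge from recycle bin')) {
        Remove-MsolUser -UserPrincipalName $DuplicateUpn -RemoveFromRecycleBin -Force
    }
}

function Test-HardMatch {
    # Run after the next sync: the cloud user must carry the AD GUID and a
    # LastDirSyncTime. If not, the match did not take and a full sync is next.
    param([Parameter(Mandatory = $true)][string]$SamAccountName,
          [Parameter(Mandatory = $true)][string]$CloudUpn)
    $expected = Get-ImmutableIdFromAdUser -SamAccountName $SamAccountName
    $u = Get-MsolUser -UserPrincipalName $CloudUpn -ErrorAction Stop
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Matched           = ($u.ImmutableId -eq $expected) -and ($null -ne $u.LastDirSyncTime)
        CloudImmutableId  = $u.ImmutableId
        AdImmutableId     = $expected
    }
}

# Usage (names are placeholders):
#   Remove-SyncedDuplicate -DuplicateUpn 'jdoe1234@contoso.onmicrosoft.com' -WhatIf
#   Set-HardMatch -SamAccountName jdoe -CloudUpn jdoe@contoso.com -WhatIf
#   Set-HardMatch -SamAccountName jdoe -CloudUpn jdoe@contoso.com
#   # then on the DirSync server: Start-OnlineCoexistenceSync (DirSyncConfigShell.psc1)
#   Test-HardMatch -SamAccountName jdoe -CloudUpn jdoe@contoso.com
```

The Get-MsolUser -All scan in step 2 is slow on a large tenant but is the only way with the MSOnline module to learn whether a GUID is already bound elsewhere; Test-HardMatch is meant to be run after the delta sync and again after a full sync if the first result is not Matched.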
In my case these procedures resolved my issues. But as always, use this information at your own risk. Best of all is to make sure you don't end up in a situation like this: give the AD user the same UPN and SMTP addresses as the cloud user before it is synced for the first time.
See also:
One or more objects don't sync when using the Azure Active Directory Sync tool http://support.microsoft.com/kb/2643629/en-us
How to use SMTP matching to match on-premises user accounts to Office 365 user accounts for directory synchronization http://support.microsoft.com/kb/2641663/en-us
16:26
Nice article mate! Still valid, only with different cmdlines, and DirSync is replaced ;). How's it going anyway?
06:14
Sync'd a full AD and one user duplicated. Couldn't figure it out but this article saved me.
I also had to change the user's UPN to the onmicrosoft account to link the GUID, so I guess that was causing the problem for some reason.
Any idea if this works when users have been synced to a different AD in the past and trying to sync to a new AD?
Thank you!
14:43
I have tried this but keep getting an error inside PowerShell 3 when trying to run the cmdlet… The '<' operator is reserved for future use.
How do I get around this so I can set the ImmutableID?
22:53
Are you adding the "<" to the user name on the command line? Without it, the lines are:
$guid = (Get-ADUser joesmith).ObjectGuid
and
Set-MsolUser -UserPrincipalName joesmith@domain.com -ImmutableId $immutableID
08:24
This complete article is stolen from the original blogs.msdn.microsoft.com/vilath/2015/05/26/how-to-fix-office-365-aadsync-smtpupn-matching-issues/ without any references.
WTF dude?! Reported to EU MVP leads.
08:59
Hi, thank you for bringing this to my attention.
However, you might want to check publication date of both posts. My post predates the one you found and aligns better with the dates found in the screenshot.
17:50
FYI: I've contacted my MVP lead regarding this issue as well.
15:53
Thanks for this article which I found really useful kicking off my project to migrate a bunch of users using hard matching. I created a script which covered my needs and thought perhaps your readers may find useful. It's available on my blog here https://cloudwyse.blogspot.com/2019/02/migrate-o365-mailboxes-using-hard.html
19:01
Thanks for the feedback and your blog post. On my reading list 😉
15:30
A useful bit of code to find mismatches:
https://github.com/Nathanac/PowerShell/blob/master/ImmutableId-Mismatch-Finder.ps1